views: 38
answers: 2

Is it safe to use the built-in session creator in PHP? My worry is that someone could hijack the token cookie on another person's machine, and set theirs to exactly the same, therefore tricking the server into thinking that they're the same person.

Is there protection (e.g. IP checks) to stop this or should I be using something more secure?

+1  A: 

PHP does not perform any IP checking, for the simple reason that it won't work 100% of the time.

So yes, you can hijack a session. If you want to increase the security, you need to build mechanisms on top of that. Take a look at http://phpsec.org/projects/guide/4.html for some pointers.

Paul Dixon
Thanks for the help :)
TomC
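The answer above says the built-in session handling can be hijacked and that you have to layer your own mechanisms on top of it. The following is an added example (not code from the answer, the question, or the phpsec guide) of what that layer typically looks like: strict session-ID handling, hardened cookie flags, ID rotation on login, idle and absolute timeouts, and a loose client fingerprint. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()` and `setcookie()`), that the site is served over HTTPS, and that `login()` is only called after the application has verified the user's credentials. The constants and function names are chosen for this example.

```php
<?php
// Added example: a thin wrapper around PHP's built-in sessions that adds the
// mitigations the phpsec guide recommends. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 900;   // seconds of inactivity before the session is dropped
const SESSION_ABSOLUTE_LIMIT = 28800; // hard cap on session lifetime (8 hours)

// Start the session with hardened ID handling and cookie flags.
function secure_session_start(): void
{
    // Reject IDs the server did not itself generate, so an attacker cannot
    // plant ("fix") a known session ID in the victim's browser ahead of time.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dies with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only ever sent over HTTPS
        'httponly' => true,     // not readable from document.cookie, limits theft via XSS
        'samesite' => 'Lax',
    ]);

    session_start();

    $now = time();
    if (!isset($_SESSION['created'])) {
        initialise_session($now);
    }

    // Drop the session if it has been idle too long, has outlived its absolute
    // limit, or is presented by a client that no longer matches the creator.
    $expired  = ($now - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT)
             || ($now - $_SESSION['created']   > SESSION_ABSOLUTE_LIMIT);
    $mismatch = !hash_equals($_SESSION['fp'], client_fingerprint());
    if ($expired || $mismatch) {
        $_SESSION = [];
        session_regenerate_id(true);   // new ID, old data file deleted
        initialise_session($now);
    }
    $_SESSION['last_seen'] = $now;
}

function initialise_session(int $now): void
{
    $_SESSION['created']   = $now;
    $_SESSION['last_seen'] = $now;
    $_SESSION['fp']        = client_fingerprint();
}

// Loose fingerprint: User-Agent only. The client IP is deliberately left out
// because it changes legitimately (mobile networks, proxies, load balancers),
// which is exactly why PHP does no IP checking itself. This raises the bar
// but does not stop a hijacker who copies the UA string along with the cookie.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once credentials have been verified. Rotating the ID on a privilege
// change means a cookie captured before login is worthless afterwards.
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['created'] = time();
}

// Full logout: clear server-side data and expire the cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical use at the top of every request:
secure_session_start();
```

With `secure` set, the cookie is never sent over plain HTTP, so on a local development server without TLS the session will appear not to persist; that is the flag doing its job, not a bug. Note that none of this makes a stolen cookie unusable on its own: the fingerprint only costs the attacker one extra header, and the timeouts only shrink the window. The real protections are `httponly` plus `secure` (which make the cookie hard to steal in the first place) and `session_regenerate_id()` on login (which defeats fixation).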
A: 

Yes, it is theoretically possible to hijack the token cookie on another person's machine, but in fact every site in the world is using it, including Stack Overflow. If you hijack my cookie, you can log into my account. So what?

Col. Shrapnel
I'm sure you wouldn't want people viewing any sensitive info you have online
TomC
@TomC I am not asking you what I want. I am telling you SO is using such a token. Maybe it's not THAT dangerous as you imagine?
Col. Shrapnel